itlawwikiaorg-20200214-history
Access control
Definitions Access control (sometimes abbreviated as AC): * is "limiting the flow of information from the resources of a system only to authorized persons, programs, processes or other system resources on a network.Compendium of Approved ITU-T Security Definitions, at 2. * is "a means to ensure that access to assets is authorized and restricted based on business and security requirements.Framework for Cyber-Physical Systems, at 5. * includes "procedures, physical barriers and security personnel provided to limit access to sensitive areas."NIST, FIPS 31. * is "the granting or denying to a subject of certain permissions to access a resource (e.g., to view a certain file, to run a certain program)."Cryptography's Role in Securing the Information Society, App. B, Glossary, at 353. * is "prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner."ISO/IEC 18028-2: 2006-02-01. * is "protection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy.RFC 2828. * is "the process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances)."FIPS 201. * "restricts the ability of unknown or unauthorized users to view or use information, hosts, or networks. Access control technologies can help protect sensitive data and systems. Access controls include boundary protection, authentication, and authorization technologies."Technology Assessment: Cybersecurity for Critical Infrastructure Protection, at 44. * is "the mechanisms for limiting access to certain information based on a user's identity and membership in various predefined groups. Access control can be mandatory, discretionary, or role-based."Privacy Technology Focus Group Final Report, App. B, at 49. * is "a procedure to identify and/or admit personnel with proper security clearance and required access approval(s) to information or facilities using physical, electronic, and/or human controls.Intelligence Community Standard 700-01, at 2. Overview A basic management objective for any organization is to protect the resources that support its critical operations and assets from unauthorized access. Organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computer resources (e.g., data, programs, equipment, and facilities), thereby protecting them from unauthorized disclosure, modification, and loss. There are two types of access control: physical access control and logical access control. Specific access controls include system boundary protections, identification and authentication of users, authorization restrictions, cryptography, protection of sensitive system resources, and audit and monitoring procedures. Without adequate access controls, unauthorized individuals, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain. In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority. Forms of access controls Controlling access can be based on any or a combination of the following: * User identity * Role memberships * Group membership * Other information known to the system. By controlling who can use an application, database record, or file, an organization can help to protect that data. It is particularly important to control who is allowed to enable or disable the security features or to change user privileges. Users need to ensure that secure applications sufficiently manage access to data that they maintain. Access control includes any or all of the following: knowing who is attempting access, mediating access according to some processing rules, and managing where or how data is sent. * Identity-based Access Control. A security policy based on comparing the identity of the subject (user, group of users, role, process, or device) requesting access and the authorizations for this identity associated with the object (system resource) being accessed. * Information Flow Control. Information flow policies dictate whether information with a particular characteristic can move from one controlled entity (container or subject) to another. Information flow control is based on some fundamental characteristic of the information (not the container), and might not involve an identifiable subject. References See also * Access control card * Access control center * Access control check * Access Control Decision Function * Access Control Enforcement Function * Access control function * Access control information * Access control label * Access control list * Access control measures * Access control mechanisms * Access control policy * Access control procedures * Access control service * Access control software * Access control system * Access control technologies * Logical access control * Logical Access Control Systems * Discretionary access control * Mandatory access control * Physical access control * Physical Access Control System * Role-based access control * Virtual access controls Category:Technology Category:Security Category:Definition